Introduction

In the ever-evolving landscape of cybersecurity, staying ahead of threats is not just a necessity—it's a responsibility. Recently, the cybersecurity community has been alerted to a series of significant vulnerabilities within the container ecosystem, specifically identified as CVE-2024-21626, among others. These vulnerabilities, affecting critical components such as runc, BuildKit, Moby (Docker Engine), and Docker Desktop, pose a substantial risk to the integrity and security of applications leveraging containerization technologies.

Understanding the Leaky Vessels Vulnerabilities

On January 31, 2024, cybersecurity researchers unveiled the discovery of four severe vulnerabilities that could potentially compromise the security of countless applications. The most concerning among these, CVE-2024-21626, involves a leaked file descriptor in runc that could allow an attacker to access or modify the host filesystem, effectively enabling a full container escape when a malicious image is run or built.

These vulnerabilities become particularly exploitable when users interact with malicious content, whether knowingly or unknowingly. This interaction can stem from a variety of activities, including, but not limited to, building Docker images from untrusted sources, falling victim to a supply chain attack, or running containers from dubious images and registries.
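A practical check a defender can run on hosts after reading the above, as an added example that is not part of Aqua's advisory or product code: it parses the banner printed by `runc --version` and compares the installed release with the first fixed release. This page does not state that fixed release, so the script takes it as a command-line argument (look it up in the runc security advisory or the NVD entry for CVE-2024-21626). The sample banner embedded in the script is constructed for offline use, and the function names are this example's own.

```python
import re
import subprocess
import sys
from typing import Optional, Tuple

Version = Tuple[int, ...]

# Constructed sample of `runc --version` output, embedded so the parser can be
# exercised offline. The version and commit values are made up for illustration.
SAMPLE_RUNC_VERSION_OUTPUT = """runc version 1.1.4
commit: v1.1.4-0-gdeadbeef
spec: 1.0.2-dev
go: go1.19.4
libseccomp: 2.5.4
"""


def parse_version_string(text: str) -> Version:
    """Turn '1.1.12' (optionally prefixed with 'v') into a tuple of ints."""
    return tuple(int(part) for part in text.strip().lstrip("v").split("."))


def parse_runc_version(output: str) -> Optional[Tuple[Version, bool]]:
    """Extract the release number from `runc --version` output.

    Returns (version_tuple, is_prerelease), or None when the banner is absent.
    A suffix such as '-rc.1' marks a pre-release, which sorts below the final
    release carrying the same number.
    """
    match = re.search(r"^runc version v?(\d+(?:\.\d+)*)(-[0-9A-Za-z.]+)?",
                      output, re.MULTILINE)
    if not match:
        return None
    return parse_version_string(match.group(1)), match.group(2) is not None


def is_patched(installed: Version, prerelease: bool, minimum_fixed: Version) -> bool:
    """True when the installed runc is at or above the first fixed release."""
    width = max(len(installed), len(minimum_fixed))
    padded_installed = installed + (0,) * (width - len(installed))
    padded_minimum = minimum_fixed + (0,) * (width - len(minimum_fixed))
    if padded_installed == padded_minimum:
        return not prerelease  # an rc build is still older than the final release
    return padded_installed > padded_minimum


def check_host_runc(minimum_fixed: str) -> dict:
    """Run `runc --version` on this host and compare it with minimum_fixed."""
    try:
        completed = subprocess.run(["runc", "--version"], capture_output=True,
                                   text=True, check=False)
    except FileNotFoundError:
        return {"installed": None, "patched": None, "note": "runc not found on PATH"}
    parsed = parse_runc_version(completed.stdout)
    if parsed is None:
        return {"installed": None, "patched": None,
                "note": "could not parse runc --version output"}
    installed, prerelease = parsed
    return {
        "installed": ".".join(map(str, installed)) + ("-pre" if prerelease else ""),
        "patched": is_patched(installed, prerelease, parse_version_string(minimum_fixed)),
        "note": "",
    }


if __name__ == "__main__":
    # The first fixed runc release is not stated on this page; take it from the
    # runc security advisory or the NVD entry and pass it as the only argument.
    if len(sys.argv) != 2:
        sys.exit("usage: check_runc.py <first-fixed-runc-version>")
    print(check_host_runc(sys.argv[1]))
```

The script only inspects the runc binary on the host's PATH; container runtimes that bundle their own runc (or a vendored copy inside a Docker Desktop VM) need the same comparison applied to that copy, which is why the comparison logic is kept separate from the host lookup.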

Aqua's Secure Stance

In light of these discoveries, we at Aqua Security wish to reassure our customers and the wider community about the robustness of our security posture. A thorough review has confirmed that Aqua images are not susceptible to the vulnerabilities outlined, including the critical CVE-2024-21626. Although our images do incorporate runc libraries, these are categorized as indirect dependencies and thus do not present a vulnerability vector in our environment.

It is essential to understand that exposure to these risks requires a container to run another container within it, one capable of executing malicious code that exploits these vulnerabilities. Aqua's Server, Gateway, and Scanner components operate without running containers within them. While the Aqua Enforcer component does execute containers for local image scanning purposes, it does not run any code that could potentially exploit this vulnerability.

Our Ongoing Commitment

Awareness and vigilance are key in mitigating the impact of these vulnerabilities. As such, we are proactively working to patch our images and will provide updates, including ETA and version release information, via our official blog.

We understand the importance of trust and transparency in our relationship with our customers. Our team is dedicated to ensuring the highest standards of security and will continue to monitor, update, and inform our community about any developments.

2022.4 Update 27: Addressing the Leaky Vessels Vulnerability

In our dedication to maintaining the highest level of security for our customers, we are excited to announce that the forthcoming 2022.4 Update 27 will address and resolve the vulnerabilities associated with CVE-2024-21626. Our team is currently finalizing the update, ensuring that every aspect of the patch meets our rigorous standards for security and performance.

We are committed to releasing 2022.4 Update 27 as swiftly as possible, with a focus on quality. This approach ensures that when the update is deployed, our customers can be confident in the security of their systems. We understand the urgency of this matter and are working diligently to bring 2022.4 Update 27 to you without compromising on the quality that defines Aqua Security.

Stay tuned to our official docs for the latest updates, including the release announcement of 2022.4 Update 27. We appreciate your patience and trust in Aqua Security as we fine-tune this crucial update!

Conclusion

Aqua Security remains steadfast in our commitment to protecting our customers against the latest cybersecurity threats. By leveraging our security solutions and adhering to best practices, we assure our customers that their trust in us is well placed. For further details and updates, we encourage you to visit our docs and stay informed about how we are continuously enhancing our defenses against threats like the Leaky Vessels vulnerabilities.

We appreciate your trust in Aqua Security, and we are dedicated to delivering the peace of mind that comes from knowing your applications are secure.

Additional Resources

[1] https://blog.aquasec.com/mitigating-leaky-vessels-vulnerabilities-in-runc-buildkit-and-moby-with-aqua

[2] https://nvd.nist.gov/vuln/detail/CVE-2024-21626

[3] https://docs.aquasec.com/v2022.4/release-information/update-releases/
